Conservancy/reimbursinator
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Switched both static and api servers over to SSL connection-only. Added self-signed certificate for testing.

Browse source
This commit is contained in:
kououken 2018-12-22 12:48:15 -06:00
parent eee1bfb680
commit 2bdd44e1f6
6 changed files with 117 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
app/reimbursinator/settings.py
View file

@ -118,3 +118,9 @@ USE_TZ = True
# https://docs.djangoproject.com/en/2.1/howto/static-files/ # https://docs.djangoproject.com/en/2.1/howto/static-files/
STATIC_URL = '/static/' STATIC_URL = '/static/'
# SSL Configuration
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
SECURE_SSL_REDIRECT = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

22
config/default.conf Normal file
View file

@ -0,0 +1,22 @@
server {
server_name localhost;
listen 443;
ssl on;
ssl_certificate /etc/ssl/selfsigned.crt;
ssl_certificate_key /etc/ssl/selfsigned.key;
client_max_body_size 4G;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}

32
config/nginx.conf Normal file
View file

@ -0,0 +1,32 @@
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}

20
config/selfsigned.crt Normal file
View file

@ -0,0 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIJANSXcVJxmIYNMA0GCSqGSIb3DQEBCwUAMD8xCzAJBgNV
BAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xETAPBgNVBAcMCFBvcnRsYW5kMQwwCgYD
VQQKDANQU1UwHhcNMTgxMjIyMTczMjMwWhcNMTkxMjIyMTczMjMwWjA/MQswCQYD
VQQGEwJVUzEPMA0GA1UECAwGT3JlZ29uMREwDwYDVQQHDAhQb3J0bGFuZDEMMAoG
A1UECgwDUFNVMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzBLLMprD
v1BVODoKHrt+QAd1vDuw0UCR61ytWNQSjMWG+rl4MD+gHq/BK4r2RiuC4E+mLe0O
pEYdyVC2K5BBs5jS8XD+DML66rSNxMaSvBgRtmlWqBEbI14h2uReQmr0v/lKJlqS
i5UemkdfNZkMy3xPmnRPvbwu4raPbUpTlrKs/lpc6sNKxNWudbsfIocGFbOHTlGE
y9ii1L2z6Bsfla5yvVujttFw/QsZyImdThDruphI54jS40JG/BDxjwDB8MOAAmrB
KlvG+GlcdiTBRg0XSeVBp3kBg/O+ImZV4TOlEcdX4g0NzAMIQ3hokhr82H4JXE33
zcAHb0mVSXCkowIDAQABo1MwUTAdBgNVHQ4EFgQUX3KwNO6WuuYrUgaBvctCMolv
VH4wHwYDVR0jBBgwFoAUX3KwNO6WuuYrUgaBvctCMolvVH4wDwYDVR0TAQH/BAUw
AwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAP20CbT+Nd+Z5VxW3jzjDRz6eKIQ6cwU0
9juOh2aTKe3dm3b2Y5Ddg8T6cDIaOjWIt0UeoxdueCC8nmGskrWU9aYHNrxgKff/
qrWv9hNseslkNyX52J0VhI7bFXs/UWro0ZXcpGhgZy51oFErGvLdpLp02pvaqP6B
SQOkHLiVGS50l9/GAyHcxFSQ4MCdqyhx3q9QiyFCvmpfCBoBVFjOBS9Ac2XBLoo8
7p8JplZ5NSazw4if1+ilz/sAzpUyYAgISUuzzFlAPI6tHgN1t6NrbWflKAsV75qc
/zYm9q2XIGQmr4QN0v8lU/AYavD3HgQ4Jgbxt3MTZRxpVFggKDqnJw==
-----END CERTIFICATE-----

28
config/selfsigned.key Normal file
View file

@ -0,0 +1,28 @@
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDMEssymsO/UFU4
Ogoeu35AB3W8O7DRQJHrXK1Y1BKMxYb6uXgwP6Aer8ErivZGK4LgT6Yt7Q6kRh3J
ULYrkEGzmNLxcP4MwvrqtI3ExpK8GBG2aVaoERsjXiHa5F5CavS/+UomWpKLlR6a
R181mQzLfE+adE+9vC7ito9tSlOWsqz+Wlzqw0rE1a51ux8ihwYVs4dOUYTL2KLU
vbPoGx+VrnK9W6O20XD9CxnIiZ1OEOu6mEjniNLjQkb8EPGPAMHww4ACasEqW8b4
aVx2JMFGDRdJ5UGneQGD874iZlXhM6URx1fiDQ3MAwhDeGiSGvzYfglcTffNwAdv
SZVJcKSjAgMBAAECggEBAI4NKvp/tnBOh/OKmw7Hbls9lhu/5RXTf3841MV3Ya4x
tQKD5gCX2Wpi5vDbWxB/Kyve5Yskb0O0NvmyQAxU7xcH8xXzlDPn6WdE5UYq/2sE
yheSfaqhtaVJ2gEXY/GRp+qVqaLG+ylEVLgJpGGXtstSLcsS2Yr2GiDf+TiXO1Yy
rW/jvxLn4svKhdnHdTyYjGvhLzVSkEOv7TJQy0o51l7ORZJI61oxLRMU4Y8qsoeq
zHv9ij0zgvetBwd2L6SmDYltnDkt8hvIOR0xYM/rkGSV4iaZnERiG+8EyBSIws4V
T56Nl87fbbmro1HozMStQz4+CqMqnPOU7ZD1v4xYZaECgYEA6Cga2NoqBPSQp8O+
eWaQGdxFU+rabmw2TmPO52HTLiaxxpKtJmLrPFYd2uF4blosFdOzXXLZaedTtjxl
mffBPMMfnGYes7Ovj8c/MIs+/7UDQSmXfHy8ButPESX8sCn3bQJ+6GUt25oMxk7H
UDuJNHS9pszM1yKpJd1aaYswQFMCgYEA4QhR+/MQiL7+uv3lBDZj+YnamfTPNc8T
Yj0rqmTilj7XNOuwAyqD/93zHhiq32Y1OlXtV3RQ8/wbG2wWZVoD1rr5vpGjt4cO
mEcWPSCBAIA61tjuEa1Gf1LKW5NIt0rfaha3nja5bQ5CH0oP1WNQPoTGVYX/LUhG
ED5AOS7CwHECgYBcsX6erOTwG5ISWfaYVFoe6TMJIZFbW3uHaxR2kDmYiLyck33t
ALv52EyNU08ZiIlnoaJRIoUqYsGq1oyeoCyYjTP251NE3u6vEpfpUv+xa13ES83/
V3JftN5Z83fkAq2W6dMwCQ35S5XkLBoqr8rFlgMPMWBsWZt90dbCo199nwKBgBNI
kz3z5kbRlyKO/0ENKCQKHCF1SQxjYlXYyBUh8AjP+cEfMUYULpuOeXbqxjm+mHEX
S+9imE1QHUKMUJ7+x7Vu8FfUQyNG/4ktDkrOrj9Mvb4LeNsq7g+bGJwgUuriD6MX
r0RvjBQ8VI452oF+sTGqTxSlFujaeKaLrxU3XJkBAoGBANrzsUqEOQoIv9/KW/ls
BjXxGyKqrsnIjB7x0GCmncQoeqB3ADPisyxf45Oiz39W/4s3mz9KKpy5EvJAynsZ
oiWhErOhJoGER/DnziBE4TPUPjibUf7tahIqNOIxd+FJzK4mbOwMmhbpxIfNkdDv
xyLJt4Bq0TJk5knLD+w9Q0+2
-----END PRIVATE KEY-----

13
docker-compose.yml
View file

@ -3,20 +3,25 @@ version: '3.6'
services: services:
api: api:
build: ./app build: ./app
command: gunicorn reimbursinator.wsgi:application --bind 0.0.0.0:81 command: gunicorn reimbursinator.wsgi:application --bind 0.0.0.0:444 --keyfile /etc/ssl/selfsigned.key --certfile /etc/ssl/selfsigned.crt
volumes: volumes:
- ./app/:/usr/src/app/ - ./app/:/usr/src/app/
- ./config/selfsigned.key:/etc/ssl/selfsigned.key
- ./config/selfsigned.crt:/etc/ssl/selfsigned.crt
ports: ports:
- 8001:81 - "8444:444"
environment: environment:
- SECRET_KEY=please_change - SECRET_KEY=please_change
web: web:
image: nginx:1.10.3 image: nginx:1.10.3
volumes: volumes:
- ./static:/usr/share/nginx/html - ./static:/usr/share/nginx/html
- ./config/default.conf:/etc/nginx/conf.d/default.conf
- ./config/selfsigned.key:/etc/ssl/selfsigned.key
- ./config/selfsigned.crt:/etc/ssl/selfsigned.crt
ports: ports:
- "8000:80" - "8443:443"
environment: environment:
- NGINX_HOST=reimbursinator.com - NGINX_HOST=reimbursinator.com
- NGINX_PORT=80 - NGINX_PORT=443
command: /bin/bash -c "exec nginx -g 'daemon off;'" command: /bin/bash -c "exec nginx -g 'daemon off;'"